diff --git a/patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy b/patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy
index 059c687..899ebeb 100644
--- a/patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy
+++ b/patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy
@@ -44,11 +44,14 @@ def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
 def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
 def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+def bestTokenAddressWhitelist = ',' + (parameters.get('bestTokenAddressWhitelist') ?: '').replaceAll('\\s','') + ','
+def appRequiresBestTokenWithAddress = bestTokenAddressWhitelist.contains(','+requester+',')
+def bestTokenSvnrWhitelist = ',' + (parameters.get('bestTokenSvnrWhitelist') ?: '').replaceAll('\\s','') + ','
+def appRequiresBestTokenWithSvnr = bestTokenSvnrWhitelist.contains(','+requester+',')
+
+LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, BestTokenRequired='svnr: ${appRequiresBestTokenWithSvnr}; address: ${appRequiresBestTokenWithAddress}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
-def appAddressRequiredWhitelist = ',' + (parameters.get('appAddressRequired.whitelist') ?: '').replaceAll('\\s','') + ','
-def appIsOnappAddressRequiredWhitelist = appAddressRequiredWhitelist.contains(','+requester+',')
 if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == null) {
 response.setResult('error');
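Review bot: The new membership test `bestTokenAddressWhitelist.contains(','+requester+',')` (and its svnr twin two lines below) degenerates when the parameter is unset, empty, or ends with a trailing comma: the sentinel string then contains `,,`, so a requester whose value is the empty string is treated as whitelisted, and a `requester` containing a comma can match across two adjacent entries. Where `requester` is assigned lies outside the hunk; if it derives from the SAML scoping requesterId tested on the `if` line, that value is caller-supplied and the check should be an exact whole-entry comparison rather than a substring search. The removed `appAddressRequired.whitelist` code had the same shape, so this is carried over rather than introduced, but the commit now applies it to the SVNR release as well. Splitting the configured value into a set and requiring a non-empty requester closes both cases.
```groovy
// whole-entry match: split the configured list, drop blanks, compare exact values
def parseWhitelist = { csv -> (csv ?: '').toString().split(',')*.replaceAll('\\s', '').findAll { it } as Set }
def bestTokenAddressWhitelist = parseWhitelist(parameters.get('bestTokenAddressWhitelist'))
def bestTokenSvnrWhitelist = parseWhitelist(parameters.get('bestTokenSvnrWhitelist'))
def appRequiresBestTokenWithAddress = requester && bestTokenAddressWhitelist.contains(requester.toString())
def appRequiresBestTokenWithSvnr = requester && bestTokenSvnrWhitelist.contains(requester.toString())
// … unchanged: LOG.info("Event='AUTHREQUEST', …") and the requestedRoleLevelNumber guard …
```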
@@ -71,16 +74,18 @@ try {
 def json = jsonSlurper.parseText(httpResponse.bodyAsString())
 LOG.debug('AdressRequired: ' + json.addrRequired)
 LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
- LOG.debug('appAddressRequiredWhitelist applies: ' + appIsOnappAddressRequiredWhitelist)
+ LOG.debug('appRequiresBestTokenWithAddress: ' + appRequiresBestTokenWithAddress)
+ LOG.debug('appRequiresBestTokenWithSvnr: ' + appRequiresBestTokenWithSvnr)
 // address will be returned to the application if allowed by connect (json.addrRequired)
 // and the authRequest was done with at least AGOVaq 200
- // BITBKAGOVSUP-362: or whitelisted to receive the address
- session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appIsOnappAddressRequiredWhitelist)))
+ // BUNDBITBK-4307: or best token for address is enabled
+ session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appRequiresBestTokenWithAddress)))
 // address will be returned to the application if allowed by connect (json.svnrAllowed)
 // and the authRequest was done with at least AGOVaq 300
- session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && requestedRoleLevelNumber >= 300))
+ // BUNDBITBK-4307: or best token for svnr is enabled
+ session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && ((requestedRoleLevelNumber >= 300) || appRequiresBestTokenWithSvnr)))
 session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
 session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
diff --git a/patterns/RequestedRoleLevel_68665057549fd887ea09fb86.yml b/patterns/RequestedRoleLevel_68665057549fd887ea09fb86.yml
index 9800291..69382c9 100644
--- a/patterns/RequestedRoleLevel_68665057549fd887ea09fb86.yml
+++ b/patterns/RequestedRoleLevel_68665057549fd887ea09fb86.yml
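Review bot: The new `agov.appSvnrAllowed` assignment lets a whitelisted application receive the SVNR below AGOVaq 300, but whether that override actually took effect for a request is only visible at debug level; the `AUTHREQUEST` info record from the earlier hunk states that the app is whitelisted, not that the threshold was bypassed. An info-level line when the override fires keeps the release auditable, e.g. `if (json.svnrAllowed && requestedRoleLevelNumber < 300 && appRequiresBestTokenWithSvnr) LOG.info("Event='BESTTOKEN_SVNR_OVERRIDE', Requester='${requester}', RequestedAq=${requestedAq}")` placed just before the setAttribute, with the same shape for the address branch at 200. Since the commit already rewrites this comment block, the first line above the svnr assignment could also be corrected from "address will be returned" to `// svnr will be returned to the application if allowed by connect (json.svnrAllowed)`. The enclosing `try` block starts before the hunk and its catch is outside the visible lines.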
@@ -8,7 +8,8 @@ pattern:
 scriptFile: "res://68665057549fd887ea09fb86#scriptFile"
 parameters:
 - url: "${var.connect.metadataservice.url}"
- - appAddressRequired.whitelist: "${var.appAddressRequired.whitelist}"
+ - bestTokenAddressWhitelist: "${var.bestToken.address.whitelist}"
+ - bestTokenSvnrWhitelist: "${var.bestToken.svnr.whitelist}"
 onSuccess:
 - "pattern://f63c475c35b616b7c6c1901c"
 onFailure: